[After reading through the lists and charters at OpenLDAP.org, I wasn't
sure if this list was the right place to address my question, now that
the 'general' list seems to be gone. Please direct me elsewhere if
it's the wrong place.]
In any case...
o We're running iPlanet directory server 4.12: one master and three
replicas behind an Alteon.
o We're using the OpenLDAP 2.0.7 client libs and PADL nss_ldap
packages for all Solaris 2.6 x86 clients.
o We've set up an "anonymous" account called 'proxyagent' with which
we query user account/auth information from LDAP. 'proxyagent' has a
password, although openldap/etc/ldap.conf doesn't seem to have a
BINDPW option.
The environment looks roughly like this:
            ldap-master
                 |
            --alteon---
            |    |    |
        ldap1  ldap2  ldap3
           (replicates)
So, here's the problem.
We simply can't query anything when we point openldap/etc/ldap.conf at
the load-balanced address (or any of the single machines!) when we use
the OpenLDAP client libs. For instance, we get the following message
when we try to query ldap1, ldap2, ldap3 or ldap.my.domain:
$ ./ldapsearch -b o=my.domain -D "cn=proxyagent,ou=profile, o=my.domain" \
-w proxy_agent_pass -h ldap.my.domain uid=nvp
ldap_bind: Referral
$ ./ldapsearch -b o=my.domain -D "cn=proxyagent,ou=profile, o=my.domain" \
-w proxy_agent_pass -h ldap1.my.domain uid=nvp
ldap_bind: Referral
So, what's with this Referral message? It's as if ldap.my.domain is
redirecting queries to ldap-master.my.domain but isn't able to follow
the referral. NOTE: the load-balanced replicates aren't configured to
pass any (explicit) referrals to ldap-master.my.domain.
I built the OpenLDAP 2.0.7 client with the following options:
./configure --prefix=/usr/local/openldap --disable-debug
--disable-slapd --disable-slurpd --enable-static
--enable-shared
I had originally enabled V2 referrals but that didn't fix the problem,
so I took them out again.
In addition, here's my ldap.conf:
HOST ldap.my.domain
BASE o=my.domain
URI ldap://ldap.my.domain
BINDDN cn=proxyagent,ou=profile,o=my.domain
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
I should also note that for the native Solaris 8 LDAP client stuff,
we're not having any problems querying ldap.my.domain and getting
results. So, I'm pretty sure that the load balancing is configured
correctly.
Hope that this is enough info! Please let me know if you have any
questions, and I'm looking forward to seeing what you've got to say!
--
Nate, aka "Lars Dullrich", Unix System Administrator
-- Not speaking on behalf of any other person or company.--
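An added example for readers of this thread, not code from the original post or from the OpenLDAP project: "ldap_bind: Referral" is the client's rendering of LDAP resultCode 10 in the BindResponse, and the response normally carries the URL(s) the server is referring the client to. Decoding a captured bind response shows exactly which server issued the referral and where it points, which is the first thing to establish before blaming the load balancer or the client libraries. The BindResponse bytes below are constructed by hand for the example; the referral target "ldap://ldap-master.my.domain/o=my.domain" is a placeholder, not something captured from the poster's servers.

```python
# Added example (not from the original post): decode an LDAPv3 BindResponse
# (RFC 2251 LDAPResult) so "ldap_bind: Referral" can be traced to the
# resultCode (10 = referral) and the referral URL(s) the server returned.

RESULT_CODE_NAMES = {0: "success", 10: "referral", 49: "invalidCredentials"}

# Constructed sample: LDAPMessage { messageID 1, BindResponse {
#   resultCode referral(10), matchedDN "", diagnosticMessage "",
#   referral [3] { "ldap://ldap-master.my.domain/o=my.domain" } } }
# The referral target is a placeholder, not a captured value.
SAMPLE_REFERRAL_URL = b"ldap://ldap-master.my.domain/o=my.domain"   # 40 bytes
SAMPLE_BIND_REFERRAL = (
    bytes.fromhex("30 38 02 01 01 61 33 0a 01 0a 04 00 04 00 a3 2a 04 28")
    + SAMPLE_REFERRAL_URL
)
# Constructed sample of a plain successful bind (resultCode 0, no referral).
SAMPLE_BIND_OK = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 00 04 00 04 00")


def read_tlv(buf, pos):
    """Read one BER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (0x8N + N bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(msg):
    """Parse an LDAPMessage whose protocolOp is an LDAPResult (e.g. BindResponse)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, mid, pos = read_tlv(body, 0)        # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)    # 0x61 = [APPLICATION 1] BindResponse
    _, rc, pos = read_tlv(op, 0)           # resultCode ENUMERATED
    _, matched, pos = read_tlv(op, pos)    # matchedDN LDAPDN
    _, diag, pos = read_tlv(op, pos)       # diagnosticMessage LDAPString
    referrals = []
    if pos < len(op):
        rtag, rbody, pos = read_tlv(op, pos)
        if rtag == 0xA3:                   # referral [3] SEQUENCE OF LDAPURL
            p = 0
            while p < len(rbody):
                _, url, p = read_tlv(rbody, p)
                referrals.append(url.decode())
    code = int.from_bytes(rc, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "op_tag": op_tag,
        "result_code": code,
        "result_name": RESULT_CODE_NAMES.get(code, "other"),
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(),
        "referrals": referrals,
    }


def describe_bind_result(msg):
    """One-line summary suitable for a troubleshooting log."""
    r = parse_ldap_result(msg)
    line = "bind result %d (%s)" % (r["result_code"], r["result_name"])
    if r["referrals"]:
        line += " -> referred to: " + ", ".join(r["referrals"])
    return line


if __name__ == "__main__":
    print(describe_bind_result(SAMPLE_BIND_REFERRAL))
    print(describe_bind_result(SAMPLE_BIND_OK))
```

To use this on a real exchange, feed it the bytes of the server's BindResponse from a packet capture of the client-to-replica session. The message ID lets you match the response to the request, and the referral list tells you which host the replica is handing the bind to, so the question becomes whether that server is reachable and whether the client is expected to chase the referral at all. Because the post binds with `-w` on the command line, note that a plain capture of that session also contains the proxyagent password, so capture files should be handled as secrets.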